Patents by Inventor Mihai Christodorescu

Mihai Christodorescu has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20220353058
    Abstract: A method includes a first user device generating an interaction message. The interaction message includes an amount, an expiry time, and a condition. The first user device provides the interaction message to a second user device. The second user device creates a witness that satisfies the condition and provides the witness to the first user device. The first user device receives the witness from the second user device. The first user device verifies that the witness satisfies the condition. If the witness satisfies the condition and is received prior to the expiry time, the first user device signs the witness using a first user device private key to obtain a signed witness. The first user device provides the signed witness to the second user device. The second user device verifies a signature of the signed witness and proceeds with obtaining the amount.
    Type: Application
    Filed: July 8, 2022
    Publication date: November 3, 2022
    Applicant: Visa International Service Association
    Inventors: Ranjit Kumaresan, Mahdi Zamani, Srinivasan Raghuraman, Mihai Christodorescu, Mohammad Mohsen Minaei Bidgoli
  • Patent number: 11379384
    Abstract: A technique for oblivious filtering may include receiving an input data stream having a plurality of input elements. For each of the input elements received, a determination is made as to whether the input element satisfies a filtering condition. For each of the input elements received that satisfies the filtering condition, a write operation is performed to store the input element in a memory subsystem. For those of the input elements received that do not satisfy the filtering condition, at least a dummy write operation is performed on the memory subsystem. The contents of the memory subsystem can be evicted to an output data stream when the memory subsystem is full. The memory subsystem may include a trusted memory and an unprotected memory.
    Type: Grant
    Filed: September 27, 2019
    Date of Patent: July 5, 2022
    Assignee: VISA INTERNATIONAL SERVICE ASSOCIATION
    Inventors: Abhinav Aggarwal, Rohit Sinha, Mihai Christodorescu
  • Publication number: 20220021537
    Abstract: Methods and systems for privacy-preserving identity attribute verification are presented. During an interaction between a relying entity and a user, a relying entity computer can transmit a policy token to a user device. The policy token may indicate the information needed by the relying entity in order to perform the interaction. The user device can verify the policy token, then use the policy token in conjunction with an identity token to generate a zero-knowledge proof. The user device may transmit the zero-knowledge proof to an identity service provider computer. The identity service provider computer may verify the zero-knowledge proof, then generate a verification message. The identity service provider computer may sign the verification message and transmit the signed verification message to the relying entity computer. The relying entity computer may verify the verification message and complete the interaction with the user.
    Type: Application
    Filed: July 14, 2020
    Publication date: January 20, 2022
    Inventors: Kim Ritter Wagner, Sunpreet Singh Arora, Gaven James Watson, Mihai Christodorescu, Shashank Agrawal
  • Publication number: 20220004507
    Abstract: A technique for oblivious filtering may include receiving an input data stream having a plurality of input elements. For each of the input elements received, a determination is made as to whether the input element satisfies a filtering condition. For each of the input elements received that satisfies the filtering condition, a write operation is performed to store the input element in a memory subsystem. For those of the input elements received that do not satisfy the filtering condition, at least a dummy write operation is performed on the memory subsystem. The contents of the memory subsystem can be evicted to an output data stream when the memory subsystem is full. The memory subsystem may include a trusted memory and an unprotected memory.
    Type: Application
    Filed: September 27, 2019
    Publication date: January 6, 2022
    Inventors: Abhinav Aggarwal, Rohit Sinha, Mihai Christodorescu
  • Publication number: 20210409405
    Abstract: An initiator device can broadcast a witness request to one or more authentication devices. The one or more authentication devices can then determine an assurance level from a range of assurance levels and determine a token share corresponding to the assurance level. The initiator device can then receive, from the one or more authentication devices, at least one witness response comprising the token share corresponding to the assurance level. The initiator device can generate an authentication token using a set of token shares. The initiator device can then transmit the authentication token to an authentication server, wherein the authentication server verifies the authentication token.
    Type: Application
    Filed: August 30, 2019
    Publication date: December 30, 2021
    Inventors: Mastooreh Salajegheh, Shashank Agrawal, Eric Le Saint, Payman Mohassel, Mihai Christodorescu
  • Publication number: 20210392115
    Abstract: Verification system and methods are provided for allowing database server responses to be verified. A proxy device may maintain a data structure (e.g., a Merkle B+-tree) within a secure memory space (e.g., an Intel SGX enclave) associated with a protected application. In some embodiments, the data structure may comprise hashed values representing hashed versions of the data managed by the database server. The proxy may intercept client requests submitted from a client device and forward such requests to the database server. Responses from the database server may be verified using the data structure (e.g., the hashes contained in the Merkle B+-tree). If the data is verified by the proxy device, the response may be transmitted to the client device.
    Type: Application
    Filed: August 31, 2021
    Publication date: December 16, 2021
    Inventors: Rohit Sinha, Mihai Christodorescu
  • Patent number: 11140134
    Abstract: Verification system and methods are provided for allowing database server responses to be verified. A proxy device may maintain a data structure (e.g., a Merkle B+-tree) within a secure memory space (e.g., an Intel SGX enclave) associated with a protected application. In some embodiments, the data structure may comprise hashed values representing hashed versions of the data managed by the database server. The proxy may intercept client requests submitted from a client device and forward such requests to the database server. Responses from the database server may be verified using the data structure (e.g., the hashes contained in the Merkle B+-tree). If the data is verified by the proxy device, the response may be transmitted to the client device.
    Type: Grant
    Filed: November 13, 2018
    Date of Patent: October 5, 2021
    Assignee: VISA INTERNATIONAL SERVICE ASSOCIATION
    Inventors: Rohit Sinha, Mihai Christodorescu
  • Publication number: 20210306366
    Abstract: Methods and systems for generating a security policy at a gateway are disclosed. A server computer and a gateway can perform a protocol in order to train a security model at a gateway, such that it can detect attack packets and prevent those attack packets from reaching the server computer via the gateway. In a learning phase, the server computer can provide training packets and test packets to the gateway. The gateway can use the training packets to train a security model, and the gateway can classify the test packets using the security model in order to test its accuracy. When the server computer is satisfied with the accuracy of the security policy, the server computer can transmit an acceptance of the security policy to the gateway, which can subsequently deploy the model in order to detect and filter attack packets.
    Type: Application
    Filed: June 10, 2021
    Publication date: September 30, 2021
    Inventors: Abhinav Aggarwal, Mahdi Zamani, Mihai Christodorescu
  • Patent number: 11063973
    Abstract: Methods and systems for generating a security policy at a gateway are disclosed. A server computer and a gateway can perform a protocol in order to train a security model at a gateway, such that it can detect attack packets and prevent those attack packets from reaching the server computer via the gateway. In a learning phase, the server computer can provide training packets and test packets to the gateway. The gateway can use the training packets to train a security model, and the gateway can classify the test packets using the security model in order to test its accuracy. When the server computer is satisfied with the accuracy of the security policy, the server computer can transmit an acceptance of the security policy to the gateway, which can subsequently deploy the model in order to detect and filter attack packets.
    Type: Grant
    Filed: August 20, 2018
    Date of Patent: July 13, 2021
    Assignee: Visa International Service Association
    Inventors: Abhinav Aggarwal, Mahdi Zamani, Mihai Christodorescu
  • Publication number: 20210192509
    Abstract: Methods are provided for maintaining user privacy, and may include establishing a secret key for communication between a plurality of user devices, the plurality of user devices including a first user device associated with a requesting user and a second user device associated with a second user, wherein at least one server computer does not have access to the secret key; receiving from the first user device, a split-payment request message comprising encrypted data, the encrypted data included in the split-payment request message encrypted based on the secret key; generating an encrypted balance for the requesting user and the second user based on the encrypted data of the split-payment request message; and transmitting to the second user device, a split-payment confirmation message including the encrypted balance for the requesting user and/or the second user. Systems and computer program products are also provided.
    Type: Application
    Filed: August 29, 2019
    Publication date: June 24, 2021
    Inventors: Saba Eskandarian, Payman Mohassel, Mihai Christodorescu
  • Publication number: 20200120121
    Abstract: Methods and systems for generating a security policy at a gateway are disclosed. A server computer and a gateway can perform a protocol in order to train a security model at a gateway, such that it can detect attack packets and prevent those attack packets from reaching the server computer via the gateway. In a learning phase, the server computer can provide training packets and test packets to the gateway. The gateway can use the training packets to train a security model, and the gateway can classify the test packets using the security model in order to test its accuracy. When the server computer is satisfied with the accuracy of the security policy, the server computer can transmit an acceptance of the security policy to the gateway, which can subsequently deploy the model in order to detect and filter attack packets.
    Type: Application
    Filed: August 20, 2018
    Publication date: April 16, 2020
    Inventors: Abhinav Aggarwal, Mahdi Zamani, Mihai Christodorescu
  • Patent number: 10536867
    Abstract: Systems, methods, and devices of the various aspects enable detecting a malfunction caused by radio frequency (RF) interference. A computing device processor may identify a location of the computing device based on a plurality of real-time data inputs received by the computing device. The processor may characterize an RF environment of the computing device based on the identified location and the plurality of real-time data inputs. The processor may determine at least one RF emissions threshold based on the characterization of the RF environment. The processor may compare the characterization of the RF environment to the at least one RF emissions threshold, and may perform an action in response to determining that the characterization of the RF environment exceeds the at least one RF emissions threshold.
    Type: Grant
    Filed: February 12, 2015
    Date of Patent: January 14, 2020
    Assignee: QUALCOMM Incorporated
    Inventors: Mastooreh Salajegheh, Govindarajan Krishnamurthi, Rajarshi Gupta, Mihai Christodorescu, Vinay Sridhara, Patrick Hughes
  • Patent number: 10410127
    Abstract: The present principles are directed to identifying and classifying web traffic inside encrypted network tunnels. A method includes analyzing network traffic of unencrypted data packets to detect packet traffic, timing, and size patterns. The detected packet, timing, and size traffic patterns are correlated to at least a packet destination and a packet source of the unencrypted data packets to create at least one of a training corpus and a model built from the training corpus. The at least one of the corpus and model is stored in a memory device. Packet traffic, timing, and size patterns of encrypted data packets are observed. The observed packet traffic, timing, and size patterns of the encrypted data packets are compared to at least one of the training corpus and the model to classify the encrypted data packets with respect to at least one of a predicted network host and predicted path information.
    Type: Grant
    Filed: October 23, 2017
    Date of Patent: September 10, 2019
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Mihai Christodorescu, Xin Hu, Douglas L. Schales, Reiner Sailer, Marc Ph. Stoecklin, Ting Wang, Andrew M. White
  • Publication number: 20190268308
    Abstract: Verification system and methods are provided for allowing database server responses to be verified. A proxy device may maintain a data structure (e.g., a Merkle B+-tree) within a secure memory space (e.g., an Intel SGX enclave) associated with a protected application. In some embodiments, the data structure may comprise hashed values representing hashed versions of the data managed by the database server. The proxy may intercept client requests submitted from a client device and forward such requests to the database server. Responses from the database server may be verified using the data structure (e.g., the hashes contained in the Merkle B+-tree). If the data is verified by the proxy device, the response may be transmitted to the client device.
    Type: Application
    Filed: November 13, 2018
    Publication date: August 29, 2019
    Inventors: Rohit SINHA, Mihai Christodorescu
  • Patent number: 10152465
    Abstract: Various embodiment methods for performing security-focused web crawling by a server may include identifying sensitive data on a first web page, and generating a first document object model (DOM) for the first web page in which the first DOM represents the sensitive data on the first web page. Various embodiments may further include comparing one or more attributes of the sensitive data in the first DOM with the one or more attributes of the sensitive data in a second DOM for a second web page, and determining whether the first web page is different from the second web page based on the comparison of the one or more attributes of the sensitive data in the first DOM and the second DOM.
    Type: Grant
    Filed: December 20, 2016
    Date of Patent: December 11, 2018
    Assignee: QUALCOMM Incorporated
    Inventors: Mihai Christodorescu, Alexey Aliev, Dinakar Dhurjati, Hilmi Gunes Kayacik
  • Patent number: 10127018
    Abstract: Various embodiments include methods for dynamically modifying shared libraries on a client computing device. Various embodiment methods may include receiving a first set of code segments and a first set of code sites associated with a first application. Each code in the first set of code sites may include an address within a compiled shared library stored on the client computing device. The compiled shared library may include one or more dummy instructions inserted at each code site in the first set of code sites, and each code segment in the first set of code segments may be associated with a code site in the first set of code sites. The client computing device may insert each code segment in the first set of code segments at its associated code site in the compiled shared library.
    Type: Grant
    Filed: March 30, 2016
    Date of Patent: November 13, 2018
    Assignee: QUALCOMM Incorporated
    Inventors: Sudha Anil Kumar Gathala, Mihai Christodorescu, Mastooreh Salajegheh
  • Patent number: 10102368
    Abstract: Various embodiments may include methods, devices, and non-transitory processor-readable media for performing information flow tracking during execution of a software application. A hybrid static/dynamic analysis may be used to track information flow during execution of a software application. In various embodiments, the method may predict a multiple paths of execution, and may utilize these predictions to analyze only actually executing software code. By analyzing only actually executed software code, the method may provide a lightweight and resource-efficient way of detecting actual data leaks as they occur during execution of a software application.
    Type: Grant
    Filed: January 20, 2016
    Date of Patent: October 16, 2018
    Assignee: QUALCOMM Incorporated
    Inventors: Mastooreh Salajegheh, Mikhail Kazdagli, Mihai Christodorescu
  • Patent number: 10063585
    Abstract: Methods, and devices implementing the methods, use device-specific classifiers in a privacy-preserving behavioral monitoring and analysis system for crowd-sourcing of device behaviors. Diverse devices having varying degrees of “smart” capabilities may monitor operational behaviors. Gathered operational behavior information may be transmitted to a nearby device having greater processing capabilities than a respective collecting device, or may be transmitted directly to an “always on” device. The behavior information may be used to generate behavior vectors, which may be analyzed for anomalies. Vectors containing anomaly flags may be anonymized to remove any user-identifying information and subsequently transmitted to a remote recipient such as a service provider or device manufacture.
    Type: Grant
    Filed: March 18, 2015
    Date of Patent: August 28, 2018
    Assignee: QUALCOMM Incorporated
    Inventors: Mastooreh Salajegheh, Mona Mahmoudi, Vinay Sridhara, Mihai Christodorescu, Gheorghe Calin Cascaval
  • Publication number: 20180219881
    Abstract: Embodiments include computing devices, apparatus, and methods implemented by the apparatus for implementing anomalous hypertext transfer protocol (HTTP) event detection on a computing device. The computing device may receive an HTTP response, from a web application, having a first semi-structured data of a uniform resource locator (URL), store the first semi-structured data, compare a first plurality of stored semi-structured data of a plurality of URLs of a plurality of HTTP responses from the web application, identify a pattern in the first plurality of stored semi-structured data, define a first invariant for the HTTP response based on an identified pattern, and defining a first generic feature for the first invariant.
    Type: Application
    Filed: January 31, 2017
    Publication date: August 2, 2018
    Inventors: Hilmi Gunes Kayacik, Dinakar Dhurjati, Mihai Christodorescu, Alexey Aliev
  • Publication number: 20180198812
    Abstract: Various embodiments provide methods, devices, and non-transitory processor-readable storage media for detecting anomalies in network traffic patterns with a network device by analyzing patterns in network traffic packets traversing the network. Various embodiments include clustering received network traffic packets into groups. The network device receives data packets originating from an endpoint device and analyzes the packets for patterns. The network device may apply a traffic analysis model to the clusters to obtain context classes. The network device may select a behavior classifier model based, at least in part, on the determined context class, and may apply the selected behavior classifier model to determine whether the packet behavior is benign or non-benign.
    Type: Application
    Filed: January 11, 2017
    Publication date: July 12, 2018
    Inventors: Mihai Christodorescu, Shuhua Ge, Nayeem Islam, Hilmi Gunes Kayacik